Re: [PHP] Re: ini files as config - hidden
2009/8/14 João Cândido de Souza Neto j...@consultorweb.cnt.br:
> I think a good solution is to put the ini file out of your html folder so only your scripts can read it.

I agree, and I try to do the same, but I've noticed that most open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS Made Simple) have always stored database credentials inside of DocumentRoot, by default. Not sure if this is a compromise to allow ease-of-use by less-technical users, or if my insistence on putting this sort of file outside of DocumentRoot is just paranoia (and not the good kind). I'd definitely be interested to hear how others on the list approach this problem.

And that's only one part of the equation, if you're on a shared-hosting platform. Are you, or do you have your own server?

Ben

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: ini files as config - hidden
2009/8/14 Ben Dunlap bdun...@agentintellect.com
> 2009/8/14 João Cândido de Souza Neto j...@consultorweb.cnt.br:
>> I think a good solution is to put the ini file out of your html folder so only your scripts can read it.
>
> I agree, and I try to do the same, but I've noticed that most open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS Made Simple) have always stored database credentials inside of DocumentRoot, by default. Not sure if this is a compromise to allow ease-of-use by less-technical users, or if my insistence on putting this sort of file outside of DocumentRoot is just paranoia (and not the good kind). I'd definitely be interested to hear how others on the list approach this problem.
>
> And that's only one part of the equation, if you're on a shared-hosting platform. Are you, or do you have your own server?
>
> Ben

A workaround to this is to simply let the browser get the ini as a PHP file.

What? Are you insane?

No. It is really easy.

1) Name your ini files .php, so database.ini will be database.php
2) Put this line at the top of your script:

    ;<?php exit; ?>

So, when the file is opened as an ini file, the semicolon indicates that it's a comment. But when the browser calls for this file... PHP just exits on the first line.

Our data will be safe as long as the first line remains there.

-- 
Martin Scotta
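Martin's trick spelled out as a runnable PHP script. This is an added example, not code from the thread: the ini body, the temp-file layout and the `loadGuardedIni` helper are constructed here. It writes a constructed `database.php` whose first line is the `;<?php exit; ?>` guard, refuses to use the file unless that guard is still the first line, and then parses it with `parse_ini_file`.

```php
<?php
// Added example (not from the thread): the "ini file named .php" technique.
//
// On disk the config file looks like this (constructed sample):
//
//   ;<?php exit; ?>
//   [database]
//   host = localhost
//   user = app
//   pass = "s3cret"
//
// Parsed as ini, line 1 is a comment.  Served by PHP, line 1 exits before any
// credential is output (only the leading ';' reaches the client).  Served as
// plain text by a mis-configured web server, everything leaks.

declare(strict_types=1);

const GUARD_LINE = ';<?php exit; ?>';

// Constructed sample written to a temp file so the script runs stand-alone.
$iniBody = GUARD_LINE . "\n"
    . "[database]\n"
    . "host = localhost\n"
    . "user = app\n"
    . "pass = \"s3cret\"\n";

$tmp  = tempnam(sys_get_temp_dir(), 'cfg');
$path = $tmp . '.php';          // the .php name is the whole point
rename($tmp, $path);
file_put_contents($path, $iniBody);

/**
 * Load an ini-as-php config file, failing closed if the guard line is gone.
 * Returns the [section => [key => value]] array from parse_ini_file().
 */
function loadGuardedIni(string $path): array
{
    $fh = fopen($path, 'r');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    $firstLine = rtrim((string) fgets($fh), "\r\n");
    fclose($fh);

    // Without the guard, a request for this URL would dump the credentials,
    // so refuse to use the file rather than silently depend on it.
    if ($firstLine !== GUARD_LINE) {
        throw new RuntimeException("$path has lost its '" . GUARD_LINE . "' guard line");
    }

    // The ';' on line 1 makes the PHP tag a comment for the ini scanner.
    $cfg = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $path");
    }
    return $cfg;
}

$cfg = loadGuardedIni($path);
echo $cfg['database']['host'], "\n";   // localhost

// Show the fail-closed path: strip the guard and the loader rejects the file.
file_put_contents($path, substr($iniBody, strlen(GUARD_LINE) + 1));
try {
    loadGuardedIni($path);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

unlink($path);
```

The first-line check is the defender's side of Martin's "as long as the first line remains there" condition: the loader verifies the assumption on every run instead of trusting that nobody edited the guard out. It does nothing about the other failure mode in the thread, a server that hands `.php` files out as text, which is why Ben still prefers the file outside DocumentRoot.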
Re: [PHP] Re: ini files as config - hidden
A long time ago I worked on many shared servers. Nowadays I'm not working with web sites, only systems, so my customers always have their own server.

The question is:

1) Does the ini file you mentioned have an ini extension? If yes, it must be outside the document root, because if someone types its URL, the browser will certainly show its content.

2) Does it have a php extension? If yes, it can be inside the document root, because if someone types its URL, PHP will show only the result of its code.

Ben Dunlap bdun...@agentintellect.com wrote in message news:7997e80e0908141056i483f4e2h7dffe0c83b90d...@mail.gmail.com...
> 2009/8/14 João Cândido de Souza Neto j...@consultorweb.cnt.br:
>> I think a good solution is to put the ini file out of your html folder so only your scripts can read it.
>
> I agree, and I try to do the same, but I've noticed that most open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS Made Simple) have always stored database credentials inside of DocumentRoot, by default. Not sure if this is a compromise to allow ease-of-use by less-technical users, or if my insistence on putting this sort of file outside of DocumentRoot is just paranoia (and not the good kind). I'd definitely be interested to hear how others on the list approach this problem.
>
> And that's only one part of the equation, if you're on a shared-hosting platform. Are you, or do you have your own server?
>
> Ben
Re: [PHP] Re: ini files as config - hidden
It's a cool solution as well.

Martin Scotta martinsco...@gmail.com wrote in message news:6445d94e0908141103l6710c766wcc89f05111a65...@mail.gmail.com...
> 2009/8/14 Ben Dunlap bdun...@agentintellect.com
>> 2009/8/14 João Cândido de Souza Neto j...@consultorweb.cnt.br:
>>> I think a good solution is to put the ini file out of your html folder so only your scripts can read it.
>>
>> I agree, and I try to do the same, but I've noticed that most open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS Made Simple) have always stored database credentials inside of DocumentRoot, by default. Not sure if this is a compromise to allow ease-of-use by less-technical users, or if my insistence on putting this sort of file outside of DocumentRoot is just paranoia (and not the good kind). I'd definitely be interested to hear how others on the list approach this problem.
>>
>> And that's only one part of the equation, if you're on a shared-hosting platform. Are you, or do you have your own server?
>>
>> Ben
>
> A workaround to this is to simply let the browser get the ini as a PHP file.
>
> What? Are you insane?
>
> No. It is really easy.
>
> 1) Name your ini files .php, so database.ini will be database.php
> 2) Put this line at the top of your script:
>
>     ;<?php exit; ?>
>
> So, when the file is opened as an ini file, the semicolon indicates that it's a comment. But when the browser calls for this file... PHP just exits on the first line.
>
> Our data will be safe as long as the first line remains there.
>
> -- 
> Martin Scotta
Re: [PHP] Re: ini files as config - hidden
> 1) Name your ini files .php, so database.ini will be database.php

Actually I was assuming the configuration file to be a PHP script -- as is typical in big open-source CMSes. I took "ini file" earlier in the thread to be a generic description of any file, whatever the extension, that contains sensitive configuration data.

> Our data will be safe as long as the first line remains there.

And as long as the file is actually handed off to PHP for processing. Seems like there are plenty of situations, none of them too far-fetched, that could cause the web server to mistakenly serve a file with .php in its name as a generic text file rather than handling it correctly. I'd rather just have the file outside of DocumentRoot and avoid that risk entirely.

But again, maybe that's just unproductive paranoia?

Ben
Re: [PHP] Re: ini files as config - hidden
On Fri, 2009-08-14 at 15:03 -0300, Martin Scotta wrote:
> 2009/8/14 Ben Dunlap bdun...@agentintellect.com
>> 2009/8/14 João Cândido de Souza Neto j...@consultorweb.cnt.br:
>>> I think a good solution is to put the ini file out of your html folder so only your scripts can read it.
>>
>> I agree, and I try to do the same, but I've noticed that most open-source CMSes I've looked at (Drupal, Joomla, Textpattern, CMS Made Simple) have always stored database credentials inside of DocumentRoot, by default. Not sure if this is a compromise to allow ease-of-use by less-technical users, or if my insistence on putting this sort of file outside of DocumentRoot is just paranoia (and not the good kind). I'd definitely be interested to hear how others on the list approach this problem.
>>
>> And that's only one part of the equation, if you're on a shared-hosting platform. Are you, or do you have your own server?
>>
>> Ben
>
> A workaround to this is to simply let the browser get the ini as a PHP file.
>
> What? Are you insane?
>
> No. It is really easy.
>
> 1) Name your ini files .php, so database.ini will be database.php
> 2) Put this line at the top of your script:
>
>     ;<?php exit; ?>
>
> So, when the file is opened as an ini file, the semicolon indicates that it's a comment. But when the browser calls for this file... PHP just exits on the first line.
>
> Our data will be safe as long as the first line remains there.

Silly idea. If you want to read in the ini file via PHP to get the values out, why don't you just have them as PHP vars? There's extra overhead involved in processing the ini, which is a big bad idea if the ini is used to hold database details, as not only does the database connection take time, but you've increased the time needed to access the connection details! Way to go!

Thanks,
Ash
http://www.ashleysheridan.co.uk
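Ben's preference (keep the credentials file outside DocumentRoot, so no URL maps to it at all) and Ash's (plain PHP values instead of ini parsing) combined in one added example; this is not code from the thread. The `loadConfigOutsideDocRoot` helper, the directory layout and the credential values are all constructed here, and the document root is passed in as a parameter rather than read from `$_SERVER['DOCUMENT_ROOT']` so the script runs from the command line.

```php
<?php
// Added example (not from the thread): a config file that is a PHP script
// returning an array, stored outside DocumentRoot, with a loader that refuses
// to use it if it has been moved (or copied) under the web root.
//
// Constructed layout:
//   <base>/public               DocumentRoot
//   <base>/config/database.php  credentials, not reachable by URL

declare(strict_types=1);

/**
 * Load a PHP config file, rejecting any path whose real location is under
 * $docRoot (normally $_SERVER['DOCUMENT_ROOT']; a parameter here for the CLI).
 */
function loadConfigOutsideDocRoot(string $configPath, string $docRoot): array
{
    $real     = realpath($configPath);
    $rootReal = realpath($docRoot);
    if ($real === false || $rootReal === false) {
        throw new RuntimeException('config file or document root does not exist');
    }
    // Compare on resolved paths so symlinks cannot hide a file inside the root.
    $rootReal = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $rootReal, strlen($rootReal)) === 0) {
        throw new RuntimeException("$real is inside DocumentRoot $rootReal; move it out");
    }

    // No ini parsing: the file is ordinary PHP that returns an array.
    $cfg = require $real;
    if (!is_array($cfg)) {
        throw new RuntimeException("$real must return an array");
    }
    return $cfg;
}

// Build the constructed layout in a temp directory.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/public", 0700, true);
mkdir("$base/config", 0700, true);

$configSource = <<<'PHP'
<?php
// Constructed sample credentials.
return [
    'host' => 'localhost',
    'user' => 'app',
    'pass' => 's3cret',
];
PHP;
file_put_contents("$base/config/database.php", $configSource);
// On a shared host the file system is the remaining exposure, so keep the
// file readable by the owning account only.
chmod("$base/config/database.php", 0600);

$cfg = loadConfigOutsideDocRoot("$base/config/database.php", "$base/public");
echo $cfg['host'], "\n";   // localhost

// The same file copied under DocumentRoot is rejected before it is loaded.
copy("$base/config/database.php", "$base/public/database.php");
try {
    loadConfigOutsideDocRoot("$base/public/database.php", "$base/public");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

// Clean up the constructed layout.
unlink("$base/public/database.php");
unlink("$base/config/database.php");
rmdir("$base/public");
rmdir("$base/config");
rmdir($base);
```

In a real deployment the call is simply `require __DIR__ . '/../config/database.php'` from a script under `public/`; the helper's extra check exists for the case the thread worries about, a config file that has drifted back under the web root. Since the file never has a URL, a server that mishandles `.php` files has nothing to hand out, which is the failure Martin's guard line cannot cover.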